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We propose a formal foundation for reasoning about access control policies within a Dynamic Coali- 
tion, defining an abstraction over existing access control models and providing mechanisms for 
translation of those models into information-flow domain. The abstracted information-flow domain 
model, called a Common Representation, can then be used for defining a way to control the evolution 
of Dynamic Coalitions with respect to information flow. 

1 Introduction 

A Dynamic Coalition (DC) is a group of independent organisations collaborating towards the achieve- 
ment of a goal that the member organisations could not achieve alone. The dynamic character comes 
from the fact that membership, and the capabilities of members, may change over time. The hetero- 
geneity of the DC membership, bringing together organisations with very different policies governing 
access to their services, gives rise to security concerns that would normally not be associated with a 
well-defined static organisation. In order to collaborate effectively, resources need to be shared between 
the participants. Many DCs emerge through ad-hoc assembly but it is nevertheless desirable to engineer 
infrastructure and policies to enable aspects of the behaviour of coalitions to be verified in advance of 
operation. 

We treat a dynamic coalition as a group of autonomous communicating agents (the coalition mem- 
bers) (HHl. Each member provides services that may be requested by other members and which may 
entail the granting of access to resources. Each organisation that participates in a DC may be represented 
as a whole as one member of the DC or as number of members. The level of abstraction in this case 
depends on the desired level of atomicity of an agent. For example, in the naval context an agent may 
represent the whole of a vessel or merely the vessel's captain. 

Much of the challenge in designing information flow policies and infrastructure to support a DC lies 
in coping with the changing membership with the need to potentially renegotiate access and reallocate 
tasks from the workflow Q . 

Ideally, the dynamic properties of membership should not disrupt the operation of the coalition where 
both availability and confidentiality are equally significant. These important requirements are often over- 
looked and simplified (at least for dynamically reconfigurable systems) by, for example, assuming that 
the operations can be suspended while the reconfiguration takes place JT] \T3\ QjO ; in reality one cannot 
suspend operations while adding new agents and assessing the impact of new agents. Furthermore, as 
with most complex systems, security is often added after the design stage as a bolt-on, which is unac- 
ceptable where confidentiality and dependability of information is a significant factor. The problem of 
maintaining security properties of a dynamic coalition are further compounded by heterogeneity - having 
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numerous agents that potentially have different and conflicting access control policies. This gives rise to 
the need to be able to reason about and assess the impact of dynamic changes on coalition membership. 

This paper focuses on security considerations in DC and proposes the use of a Common Representa- 
tion (CR) that allows coalition designers and architects to evaluate the effects of changes in membership 
of a coalition and interaction between agents. The common representation describes information flows 
between agents and resources within a DC. Functions over the CR describe ways of analysing the com- 
position of numerous access control policies, the impact of agents joining and departing a coalition, 
coalition merging, and conflicts that may arise during a coalition's life. 

By introducing the common representation, the paper addresses the problem of managing access 
controls in dynamic coalitions where there already exist access restrictions between subsets of agents 
without having to design yet another access control model. Having a set of algebraic expressions also 
allows coalition engineers to reason about the liveliness (ability of the coalition to complete its goals) 
and the confidentiality properties of different configurations of access control restrictions. 

The CR, in turn, is a foundation block of a Security Meta-Policy (SMP) which is used to guide and 
control the evolution of a DC by specifying security properties that must be preserved every time there 
is a change in the coalition and by describing how security -related changes must be implemented. 

The paper consists of three parts. First, we first consider various access control methods in use 
today (Section [2]). Second, then we look at how the common representation is expressed using directed 
graphs (Section[3]> and show how a selection of current access control methods can be expressed in terms 
of this common representation (Section [4]). Finally we examine the use of the common representation to 
define approaches to coalition composition (Sections[5]and[6]>. We end with conclusions and a discussion 
of future work. 

2 Access Control in Coalitions 

As the information within a coalition is shared between various agents, some of whom may be com- 
petitors, the ability to guard the information against misuse and to prevent this information from leaking 
uncontrollably from the coalition is of paramount importance. 

For the purposes of the present study we treat each DC member as a single entity. In practice, 
members may themselves be composed of individuals that receive data and issue responses on behalf of 
the member as a whole. We also assume that each individual tasks in the workflow being executed by 
the DC may entail invocations a single service by a single agent. We therefore assume that the workflow 
has been broken down to a relatively low level of granularity. We revisit these assumptions in Section [7] 

The most elementary form of access control is Discretionary Access Controls (DACs). In a DAC 
model, either the owner or the custodian, of information or resource has full discretion over who and at 
what level (e. g. write, read) is permitted access to the resource. While this form of access control may 
have its place in an organisation, the risk of information misuse and leakage is too great for DACs to be 
practically used in a DC. 

There already exist numerous non-discretionary access control mechanisms that are used in organi- 
sations today. The non-discretionary access controls are typically predefined and are managed centrally. 
The two that are most prominently used are Lattice-Based Access Controls (LBACs) iTTTI and Role-Based 
Access Controls (RBACs) |[T6ll . LBACs are very popular in military and other government organisations 
as this model is compatible with the 'need-to-know' security principle whereby every participant and 
piece of information is classified based on set criteria. While such an approach may be perfect for one 
organisation, different organisations have different classification criteria; for example, the US and the 
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UK military have different clearance levels. If LBACs were to be used in a DC, then all participants 
and information would have to either be reclassified based on new common criteria or each participating 
organisation would have to communicate through a trusted agent that would be responsible for ensuring 
that only permitted information can leave the organisation. Both of these solutions are unacceptable, 
as the first one creates a huge overhead for each new organisation wishing to join the coalition, and 
the second one creates choke points which limits communication bandwidth between the agents. Addi- 
tionally, non-government organisations may be unfamiliar with or not structured around LBACs, which 
introduces another complication for interactions between government agencies and private companies as 
the two are considered to have different priorities with respect to the information security — Clark and 
Wilson argued [7 ] that military is concerned with confidentiality, while for private companies integrity is 
more important. 

RBAC is a more flexible scheme than LBAC whereby access is granted based on the role of the 
participant. When the agents were to interact across organisation boundaries, new roles would have to 
be created in each organisation based on the involvement of the interaction. RBACs still need to be 
controlled through a centralised authorisation system, which leads to unreasonably high administration 
overhead for large systems, especially when the participants may not necessarily be well-known to the 
administering authority. Furthermore, without frequent reviews, in the real world, RBACs are known to 
have a privilege accumulation problem, where participants retain privileges that are no longer required 
and may lead to information leakage when misused. 

Freudenthal et al. ifTUll have attempted to address some of the drawbacks of the RBACs in distributed 
environments through Distributed Role-Based Access Controls (dRBAC) as part of a larger project on 
Distributed Coalition Infrastructure ifTTIl . While dRBAC is a significant step in terms of ensuring a degree 
of trust and distributing the responsibility for creation of roles, this approach relies on creating new roles 
for participants and is still prone to privilege accumulation. 

In the context of DCs, all of the above methods of access control require conversion of agents' 
policies from one to another. Performing such conversion will require a set amount of time during 
which the coalition membership must remain constant; depending on the rate of change of membership, 
such constraint may be unfeasible. On top of that, none of the aforementioned access control methods 
address security policy compatibility across the participants of dynamic coalitions, and providing strong 
guarantees that information will not traverse through organisational boundaries and end up in the wrong 
hands is nearly impossible without such analysis. 

There already exist security policy description languages like Ponder O, EPAL, XACML and 
Hyperproperties flU. These languages rely on the premise that the policies will be specified in a particular 
description language and then translated to models or implemented in a way that the agents understand. 
The approach taken in the CR is the opposite — the existing security policies are abstracted and compared 
for compatibility. 

While the above-mentioned access controls could work to a degree in dynamic coalitions, there is still 
a great focus on who can access what, instead of managing the information flow directly. The Common 
Representation that we propose in this paper is intended to translate access controls from the domain of 
subjects and objects to information-flow domain and analysing the impact of such flows directly. The 
information-flow domain allows us to reason how information is exchanged between agents in a coalition 
and what information agents might be privy to. 
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3 Common Representation 

Common Representation (CR) provides a fresh approach to a policy-neutral method of defining access 
control constraints for a dynamic system by focusing on the flow of information within that system. 
In the context of dynamic coalitions, this represents the information exchange between agents and re- 
sources. The CR also allows coalition architects to reason about and analyse the effects of permitting 
new interactions between agents on confidentiality and what the impact departures of agents have on 
availability of information. 

The robustness of CR stems from an observation that groups of agents joining a coalition already have 
an access control policy guarding the interaction between them. Thus, to provide secure communication 
efficiently, merely providing a bridge between various groups of agents would suffice, deferring all access 
control to run-time. 

3.1 Elements of a CR 

CR only concerns itself with read and write privileges as these are the only ones that cause information 
to be exchanged. If any other access control modes lead to data flows, e. g. execute privilege, those, too, 
can be refined down to read and write operations. 

A common representation is a directed graph CR=(I,F) where interfaces, I, represent vertices and 
flows, F CI xl, represent edges. 

An interface is an abstract representation of a communication port. There are two types of inter- 
faces: explicit and implicit. An explicit interface is an interface that represents a tuple of a resource 
and an access mode, e. g. (ri,(w)); this type of interface an be either active (send/write) or passive 
(receive/read). An implicit interface can only represent an agent and can be both active and passive. Im- 
plicit interfaces are an important utility in modelling information flows where information is exchanged 
without a dedicated (or perceived) resource, for example, in face-to-face communication. Any agent can 
have numerous implicit interfaces. The choice of what type of interface to use largely depends on the 
desired level of abstraction required by the security policy, although the decision has repercussions on 
the operations as well as the ability to analyse resulting information flows. 

Flows in the CR graph are used to represent permitted information exchange paths between interfaces 
and are expressed as pairs of interfaces. A read from i a to if, would be expressed as (i a ,ib) while a 
write from i a to ii, would be expressed as (ib,i a )- Each flow is asymmetric and if a flow (i a ,ib) exists, 
there is no implication of a complementary flow (ib,i a )- The flows are always expressed left-to-right, 
i. e. (ifromJto)- Any flow expressed as (i a ,ib)> could mean either i a { ead ib or ij, wrUe ) i a , which are 

from to 

equivalent. This equivalence and asymmetry means that a CR will require two flows to represent a bi- 
directional exchange of data: (i a ,ib), {h^a)- Bi-directional flows are called complementary — two flows 
/ and f~ l are complementary if and only if / = (i a ,ib) A/ -1 = (ib,i a )- 

Directed representation of flows has a notable side effect — "read" and "write" lose their semantic 
meaning when converted into information flows — the only way that the original nature of a particular 
flow would be preserved is if at least one of the interfaces is explicit; this highlights the importance of 
not relying on implicit flows. 

Access, with respect to the access control policies, is an operation which leads to information being 
exchanged between objects and subjects. Thus by expressing the common representation as a directional 
graph of information flows we can reason about information access within the coalition. 

The nature of any DC is that access can be granted or revoked on several occasions. This level of 
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abstraction allows explicit interfaces to be destroyed and instantiated on-request (when an agent leaves 
the coalition for example) thus fulfilling the demand for dynamic changes in access controls to a resource. 
Additionally, each agent can have its own dedicated interface to each of the resources shared by other 
agents. Thus when an interface is destroyed because an agent leaves, other agents can still retain access 
to the same resources in the coalition. 

Additionally, this representation allows any resource to have multiple interfaces, a concept which 
could be used to model polyinstantiation — an explicit interface would be a third order object in the 
mapping of A — > R — > I. 

3.2 Granting Access 

Securing the interaction between agents is based on the Clark- Wilson model [7 ] around a Trusted Com- 
puting Base (TCB) described by Lampson et al. lH4l . The Clark- Wilson model refers to the notion of 
mediated access between an object and a subject: Subject — > Mediator — > Object and TCB brings 
about various requirements, like hardware and software support, for the mediator. The TCB refers to 
the mediator as a reference monitor, which in itself is an abstract representation. The reference monitor 
consists of numerous security kernels. Each security kernel is made of trusted and verified software and 
hardware. As these security kernels are verified and are trusted to perform within specification, only the 
security kernels are permitted to interact between agents. Therefore, removing the need to rely on correct 
behaviour of any agent. 

Access, by definition, is a process where information flow occurs from a to b. From this definition, 
granting access from one interface to another within the CR is simply the matter of verifying whether a 
particular flow is permitted. 

In the absence of SMP and any other constraints, the default behaviour for a security kernel for 
granting access between to interfaces can be described by a simple function grant. For brevity, in this 
paper, we will assume that access will only be granted if the CR is authoritative over both interfaces, 
otherwise the result of the function is undefined. For a CR to be authoritative over an interface, the 
interface must be defined in the vertices of the CR graph. 

grant: / x / x CR -> B|undef 

, r . f . ,^l(h,h)€fs if{»i,*2}Ci, 
grant(n,i 2 , (»„/,))< , , . . 

I undet otherwise 

4 Representing Basic Policies 

The previous section gave an overview of the structure of common representation. This section will 
discuss how common access control policies like those described in Section [2] are mapped into common 
representation. 

4.1 Discretionary Access Controls 

Discretionary Access Controls are typically expressed as a Capability Lists or Access Control Lists 
(ACL), either of which is derived from an Access Control Matrix (ACM). An access control matrix is a 
table describing permitted interactions between objects (01,02,03) and subjects (s\, S2,Si). An example 
ACM is shown in Tabled] 
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Table 1 : Simple Access Control Matrix 

The access control matrix is a form of discretionary access control where the permission mapping 
between subjects and objects remain fairly static and well-defined at any one time. The next two access 
controls fall into a non-discretionary access controls category where instead of having a clear definition 
of interactions, access is granted based on a set of predefined criteria. 

The access control matrix shown in Table[T]can be described as an access control list: 

{o 1 ^{(s 1 ,(R)),(s 3 ,(R)),(s 3 ,(W))}, 

02h+{(ji,(W>),(.S2,(W>)}, 

03 ^{(ji,(R)) ) (ji,(W)),(j3,(R))}} 

For any ACM that describes access controls between a set of subjects, S, and a set of objects, O, 
the DAC can be translated to a CR containing O U S as the set of interfaces. The flows of the CR 
are based on the read- and write- operations permitted by the access controls. ACLs are expressed as 
mappings from objects to a set of subjects and access modes those subjects have to a particular object: 
ACL : O — > &{S x M). Translating an ACL to CR once objects and subjects have been mapped to 
interfaces is only a matter of determining resulting 

{((j, (R», (o, (W»)|o G O, (s, <W» G ACL{o)} 

U 

{(0, (R)),(s, (W)))|o G O, (s, <R» G ACL(o)} 
Capability Lists can be translated into common representation in a similar manner. 

4.2 Lattice-Based Access Control 

A Lattice-Based Access Control policy typically consists of three components: subjects, objects and 
labels. Each subject and object is marked with a label, then the labels are organised into a partially 
ordered dominance hierarchy (L, <£), a special abstract function A : SU O — > L is then used to determine 
the label associated with each object or subject. 

The most commonly used LB AC policy is the Bell-LaPadula security model 0. The underlying 
principle of the model is that access is determined by the dominance relationship between the object and 
the subject and that the subjects and objects are interchangeable for the purpose of modelling. The model 
states that A can write to B and B can read from A if A (A) <£ A (B). This model reflects the equivalence 
of flows in the common representation that was discussed earlier. 

The derivation of the common representation for LBACs is similar that for DACs except that read- 
and write- flows are treated differently. Let us assume that set / is a union of S and O. Total flows are 
derived as 

{(/l,/ 2 )|/l,i2 El k 7^2AA(l'l) <lA(/2)} 
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4.3 Role-Based Access Controls 

Role-Based Access Controls differ from the access controls described above in that there the relationship 
between objects and subjects is not defined within the access control, instead, the subject acquires privi- 
leges based on the role assignment. The implication of this phenomenon is that while it remains possible 
to derive the flows of information within each role across different roles, the representation of informa- 
tion exchange between subjects is deferred until the subject is assigned a particular role. Additionally, 
there is a notion of role seniority, where a senior role absorbs permissions of junior roles associated with 
it. 

There are two components that are involved in expressing an RBAC: role assignments and role hi- 
erarchies. The role assignments consist of a mapping from a role to the privileges that role grants: 
RA: R — > S?{0 x M). The role hierarchy is represented with the role seniority relationship: RHC RxR. 
Due to this seniority relationship, it is necessary to determine transitive closure of each role described 
by the hierarchy. This can be done using Warshall's algorithm [ 19] or a similar algorithm described by 
Osborn 031. which is more closely related to role hierarchies; let the transitive closure over RH be RH + . 
The mapping of senior roles, seniority: R — > &{R), to junior roles can then be obtained through: 

seniority= {rj\(r, rj) G RH + } 

we can then go on to determine what privileges a specific role gives using privileges :S->^(Ox Mode) : 

privileges= [J{/?A(r j)\r j 6 seniority (r)} U RA(r) 

and finally, we can derive the flows that arise in the RBAC based on roles and the role hierarchy: 

flows= \J{{((o, (R», (o, (W)))|(o, (R)), (o, (W» G privileges^)} \r G R} 

5 Compositionality of CRs 

Having looked at how individual access control policies can be translated into the common representa- 
tion, we can now look at how these common representations can be combined together to form an overall 
common representation of information flow for the whole of a dynamic coalition. 

All operations on CRs assume that the names of the interfaces in all CRs, which are involved in 
a particular operation, are named consistently. That is, if CR X contained interface named i a and CR 2 
contained interface named i a , then both CRs refer to the same, identical interface. 

There are two composites that can be formed from a collection of common representations - the Sim- 
ple Composite and the Priority Composite. Both operations have equal precedence. Thus it is important 
to explicitly group expressions containing both of these composites. 

5.1 Simple Composite — Merge 

When two groups of agents join to form a coalition, their respective common representations need to be 
merged together to form a coalition-wide representation of information flows. The most likely scenario 
for a coalition formation is when the agents in separate groups are isolated from other groups in terms of 
access privileges. This merge is achieved by performing a simple composite. 

The simple composite is the most straightforward way of combining numerous common representa- 
tions. This composite favours permit-type, flows and will effectively result in a less strict policy overall 
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compared to any individual common representation. 

merge: CRxCR^CR 

merge ((i a ,/ a ), (hjb)) = (i a U i b ,f a Uf b ) 

This merge operation will result in a graph of order two or higher, if the two merging CRs do not have any 
interfaces in common, as a case with independent All simple composites have commutative properties 
when applied as a distributed operation over a set of common representations. 

5.2 Priority Composite — Append 

Numerous times during the evolution of a dynamic coalition, a group of unassociated agents will in- 
evitably join an existing coalition. When a group of agents joins in, the flow restrictions defined by the 
established coalition must be respected, thus any group that is merging-in will only create flows to the ad- 
ditional agents. This type of merging is called a priority composite, with priority given to one common 
representation. The priority composite is a way of combining common representations which favours 
deny over permit. The priority composite will not allow new flows to be created for existing interfaces 
where there does not exist a flow already. 

append: CRxCR^ CR 

append((i a ,/ a ), (i b ,f b )) 4 (i a Ui h ,f a U {f\f G f h ■ {f,f- [ }nf a = 0}) 

The priority composite is a non-commutative operation and operates over an ordered set of common 
representations with a left-to-right order. 

6 Analysing CRs and Composite Properties 

In this section we will look at how CRs can be analysed and look at how we might determine conflicts. 

We can use a CR to determine the degree of availability of information flow paths within a DC using 
simple graph theory. For example, in determining whether there is a potential for information to be 
exchanged between two agents, we can check whether there exists a walk between the relevant interface 
of said agents. This is an important aspect when determining whether a particular interface is critical to 
the operation of the DC. We can derive the availability graph CR A of CR by replacing all complementary 
flows in CR with an edge in CR A . The availability graph is an undirected graph and serves the purpose of 
determining whether information can flow between the interfaces of the DC. If the number of components 
in CR A is equal to one then we say that the liveliness property of a DC holds. 

We will now proceed to look at conflicts in CRs. A CR conflict is said to occur when one common 
representation contains a flow between any two interfaces, and the second one does not contain a flow 
between the corresponding interfaces. 

6.1 Identifying Conflicts 

The first step to analysing any composite is to be able to identify conflicts between different common 
representations. 

conflicting: CR x CR ->• B 

conflicting((j a ,/ a ),(j f ,,/ i ,)) = 3j 1 ,i 2 G (i a Di b )-h // 2 A(/i,/ 2 ) (f a nf b ) 
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6.2 Analysing Conflicts 

We can further expand on conflict resolution by zooming in on specific properties of CRs. For example, 
we can identify all flows that are permitted in interfaces a but denied in b are determined by expression 
in ( |6.2[ ). Note that, in this case, a conflict may only arise if both CRs include identical interfaces. For 
example, given two CRs 

CR 1 = ({j a ,jfc,i c },{(j fl ,j c ),(^,j c )}) 

and 

CR 2 = ({i a ,ic,id},{( i aJd),(id,i c )}) 
the only conflict that arises is (i a ,i c ), as i b is not a vertex in CR 2 and is not a vertex in CR 1 . 

conflicts : CRxCR^F 

conflicts((i a ,/ a ),(i fe ,/fc)) = (6.2) 

{ 0'i , h) |V/i , h g (j a n / 2 ) • /i / 12 a (ii , h) (/ a n f h )} 

Similarly, flows common to both a and b can be identified from the intersection of edges of CR graphs a 
and b. Finally, the flows that are different to both a and b: 

diffs: CRxCR-^F 

diffs((_,/ fl ), (_,/„)) 4 (f a uf b )-(f a nf b ) <6 '" 

6.3 Compositionality Policies 

With the aid of algebraic operations described above, coalition architects can define compositionality 
policies which can then be used during the lifetime of the coalition to automate the process of assimilating 
groups of agents into the coalition without having to suspend operations while policies are integrated. 
Such policy may state, for example, "Conflicting policies A and B may be combined if the conflicts are 
limited to complementary flows of A, otherwise, the composite policy must not create extra permissions 
than those already defined by A". This can be expressed as: 

if V/ G conflicts (A, B) ■ 3f G flows (A) ■f f = f~ 1 
then merge (A, B) 
else append (A, B) 

where flows is an abstract function determining information flows within a graph. 

Defining policies like these is one of the purposes for the Security Meta-Policy framework which 
takes the primitives of access controls and security policies and describes ways to constrain them and 
perform operations on policy-neutral representations in order to expedite the integration of new agents, 
impose coalition-wide constraints on policies and provide a mechanism for evaluating the effects of 
policy manipulation. 



7 Conclusion and Future Work 



In this paper we looked at a novel way of modelling security using a CR, how a CR is structured and 
discussed ways of representing various access control policies in the information-flow domain. We also 
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have demonstrated how a CR can be used to address availability and confidentiality of the CIA security 
triad. Once the policies are expressed in CR, we looked at various operations for composition and 
analysis of policies. 

The CR preserves the access constraints expressed in access control and security policies by design 
and compositional algebra, provides a way of manipulating not only different, but also conflicting poli- 
cies. While this approach is sufficient for simple problems, dealing with more advanced concepts, like 
Separation of Duty or Brewer-Nash Models, requires the use of additional layer of parametrisation over 
the CR as well as the ability to define conditional evaluation operations. This layer is provided by the 
Security Meta-Policy Framework which is an ongoing work. The CR is put to use in the Security Meta 
Policy where the CR expression algebra is used for determining effects of changes in dynamic coalitions. 

When the CR combined with a Security Meta-Policy, there exists a possibility to group interfaces by 
semantic meaning together to form blocks, modifying the definition of CR to CR: (B, F) where BC 
and FC g?(B xB). Each block can represent, for example, a set of interfaces that have unrestricted flow 
of information between each other, or a set of interfaces where flows are forbidden, or where the number 
of flows is limited between the interfaces from a block to any other block. This also allows us to model 
interactions that were previously not possible in other access control methods, like groups of people. 

Additionally, given that CR is essentially a graph, it should be possible to define logic for optimisation 
of flows, thus reducing the number of unnecessary edges which in turn enforces the principle of least 
privileges. Another way of optimising the CR would be to group various complimentary interfaces 
together into individual blocks (enabled by the use of SMP). This approach would reduce the complexity 
of operations but would have a side effect of limiting the ability to precisely express details of interaction. 

Coming back to the assumptions made in Section [2| we can now see how the atomicity of agents 
and granularity of tasks would affect the structure of the CR. However, this should not be a problem 
when translating existing security policies into CR, as the desired levels of atomicity and task granularity 
should already be pre-defined in the source policies. When new tasks are created, or agents added, and a 
new CR is generated to include the desired changes, the new CR can be checked for conflicts against the 
existing CR using techniques described in Section[6] Results of such checks can be used to gauge whether 
there needs to be a further division of tasks or whether a particular flow is too permissive. This logic can 
also be included into the SMP to automate the decision making process and change configuration of the 
DC on-the-fly. 

Finally, work on CRs could be linked with work on insider threat modelling described by Chinchani 
et al (61 [T2J . These models, at the most fundamental level, rely on interaction graphs between different 
nodes of network to determine what node is exposed to what information. Such approach is similar 
to what common representation provides, thus by moving elements of insider threat modelling into the 
common representation, the risk of insider abuse could be analysed and mitigated. 
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